(54) Method of settling charges

(57) An IC card (6) has a card information memory area wherein there are written a master public key nA, card secret keys pU and qU, a card public key nU, a card identification number IDU, and a first master digital signature SA1 for information including the card identification number. An IC card terminal (2a, 2b) has a terminal information memory area wherein there are written a master public key nA, terminal secret keys pT and qT, a terminal public key nT, a terminal identification number IDT, and a second master digital signature SA2 for information including the terminal identification number IDT. When inserted into the IC card terminal, the IC card sends thereto the data nU, IDU, and SA1. The IC card terminal verifies the digital signature SA1 by the master public key nA and, if it is valid, transmits the data nT, IDT and SA2 to the IC card. The IC card verifies the digital signature SA2 by the master public key nA and, if it is valid, transmits information corresponding to the current remainder value V to the IC card terminal. The IC card terminal makes a check to see if the received information corresponding to the remainder value V is appropriate, and if so, becomes enabled for providing a service.



FIG. 1 (block diagram: IC card terminals 2a, 2b; management center; IC card dispenser 5; IC card)



Description 



EP 0 856 821 A2 



BACKGROUND OF THE INVENTION 

The present invention relates to a method and apparatus for settlement of accounts by IC cards which are used as prepaid cards or credit cards.

For instance, in an IC card which is used as a prepaid card, there is written the amount of money paid for its purchase, and before or after receiving a service the card user inserts the IC card into an IC card terminal, wherein the remaining value after subtracting the charge for the service from the initial value is transmitted to and written into the IC card.

In a conventional system of this kind, the IC card and the IC card terminal use the same cipher system and have the same secret key, and they communicate to each other the balance information enciphered by the common secret key. The IC card and the IC card terminal are designed so that such a secret key cannot be found nor altered even if the IC card terminal should be revealed to an outsider.

On the other hand, in the case of an IC card for use 
as a credit card, its identification number and other nec- 
essary information are preregistered and the user is 
allowed to receive his desired service when inserting 
the IC card into an IC card terminal and is charged for 
the service afterward. In a conventional IC credit card 
system, upon insertion of the IC card into the IC card 
terminal, the latter is connected online to a manage- 
ment center where IC card identification numbers and 
other user information are registered, then the user 
inputs his registration number and other required infor- 
mation by dialing, the thus input information is sent to 
the management center, wherein the user information 
registered in advance is used to verify the validity of the 
user. After the user's validity is thus proved, the user is 
allowed to receive his or her desired service at the IC 
card terminal. 

Such an IC credit card system similarly adopts, with a view to providing increased security, a method in which: the IC card and the IC card terminal use the same cryptographic scheme and have the same secret key, and they each authenticate the other's validity; a password input into the IC terminal is checked with its counterpart prestored in the IC card; the IC card identification number read out of the IC card is sent from the IC card terminal to the management center, which has a data base of identification numbers and other information of IC cards; the IC card identification number is verified in the management center; the result of the verification is transmitted to the IC card terminal; and when the IC card identification thus checked in the management center is valid, the service specified by the card user starts through the IC card terminal. In some cases, the IC card and the management center each authenticate the other's validity directly through use of the same secret key.



The conventional methods mentioned above all call for communication between the management center and the IC card terminal and online processing for verification before or after the service is provided, and hence they have the shortcomings that the management center facility is inevitably large-scale and that the charge for the service includes communication expenses. Moreover, the history of service can be stored in the management center or the IC card, but difficulty is encountered in proving that the stored contents are not false. Although it is almost impossible to falsify the stored contents of the IC card unless the secret key is let out, the secret key information in the IC card or IC card terminal is not perfectly protected and may in some cases leak out over a long time. In the case where the cryptographic scheme used is broken by third parties and many IC terminals are used by them, particularly in the event that IC cards and IC terminals are abused by unauthorized persons over a wide range, it is very difficult to change all of the secret keys at the same time; this poses a serious social problem, as well-intentioned users cannot use their IC cards for a long period of time, for instance.

SUMMARY OF THE INVENTION

It is therefore an object of the present invention to provide a method and apparatus for the payment of charges by IC cards which eliminate the need for communication between the management center and the IC card terminal each time the card user inserts his IC card into the latter to receive his desired service, and which permit detection of abuse of a forged IC card or an intentionally altered IC card terminal.

This object is achieved with a method as claimed in claim 1.

Preferred embodiments of the invention are subject-matter of the dependent claims.

A digital signature scheme capable of proving that a person who transmitted digital information acknowledged it, just as he puts his seal to a document, is already established as disclosed in, for example, "ESIGN: An Efficient Digital Signature Scheme," NTT R & D Vol. 40, No. 5, 1991, pp687-686, or U.S. Patent No. 4,625,076. According to the digital signature scheme, a document M and a secret key Q are used and a digital signature S(M) is created using a signature creating function, then the signature S(M) and the document M are transmitted to the other party. The other party performs a computation by substituting the received document M and signature S(M) and a public key U into a signature verifying function. If the computed result satisfies predetermined conditions, then it is verified that the digital signature S(M) was attached to the document M by a person having the secret key Q, and he cannot deny the fact. In this instance, Q and U are different prime numbers of extremely large values (that is, Q ≠ U), and this scheme features a mathematical property that the value Q cannot be computed even if the value of U is known. Furthermore, even if slightly altered, the document can be proved invalid. It is set forth in the above-noted literature that these digital signature functions could be executed within a practical processing time on the scale of a program mountable on IC cards, through utilization of an algorithm called ESIGN.

Other digital signature schemes applicable to the present invention are an ElGamal scheme (T. ElGamal: A public key cryptosystem and a signature scheme based on discrete algorithm, Proc. of Crypto '84, 1984), a DSA (Digital Signature Algorithm, made public by the National Institute of Standards and Technology of the U.S. Department of Commerce) scheme, and a Micali-Shamir scheme (S. Micali and A. Shamir: An improvement of the Fiat-Shamir identification and signature scheme, Proc. of Crypto '88, pp244-247, 1988), for instance.



BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 is a block diagram illustrating the system configuration of an embodiment of the present invention;
Fig. 2 is a block diagram showing an example of the configuration of an IC card terminal;
Fig. 3 is a block diagram showing an example of the configuration of an IC card;
Fig. 4A is a diagram showing processing of a management center for setting the IC card terminal;
Fig. 4B is a diagram showing processing of an IC card dispenser when dispensing the IC card;
Fig. 4C is a diagram showing procedures between the IC card and the IC card dispenser for dispensing and recharging the latter;
Fig. 5 is a diagram showing procedures between the IC card and the IC card terminal;
Fig. 5A is a functional block diagram of the IC card in the embodiment of Fig. 5;
Fig. 5B is a functional block diagram of the IC card terminal in the embodiment of Fig. 5;
Fig. 6 is a diagram showing another example of the procedure between the IC card and the IC card terminal;
Fig. 7 is a diagram showing, by way of example, procedures between the IC card, the IC card terminal and the management center at the time of writing amount-of-money information into the IC card;
Fig. 8 is a block diagram showing the distribution of encrypting keys for cipher communication between the IC card, the IC card terminal, the IC card dispenser and the management center;
Fig. 9 is a diagram showing the payment of charges by the IC card according to another embodiment of the present invention;
Fig. 10 is a diagram illustrating a modified form of the Fig. 5 embodiment which utilizes a time stamp;
Fig. 11 is a diagram showing a time stamp updating algorithm;
Fig. 12 is a diagram illustrating a modification of the Fig. 10 embodiment which employs random numbers;
Fig. 13 is a diagram showing procedures for registering a password in an IC card applied to a credit card, by use of the IC card terminal;
Fig. 14 is a diagram showing procedures for receiving a service by use of the IC card with the password registered therein by the process depicted in Fig. 13;
Fig. 15 is a diagram showing another example of the password registration procedure;
Fig. 16 is a diagram showing procedures for receiving a service by use of an IC card with the password registered therein by the process depicted in Fig. 15; and
Fig. 17 is a diagram illustrating another embodiment of procedures for receiving a service by use of an IC card applied to a credit card.



DESCRIPTION OF THE PREFERRED EMBODIMENTS

In Fig. 1 there is illustrated in block form an example 
of the configuration of a card system for making the pay- 
ment of charges through use of an IC card according to 
the present invention. IC card terminals 2a, 2b, ... per- 
form processing for the payment of charges for services 
rendered to an IC card 6. For example, when the IC card 
6 is a prepaid telephone card, the IC card terminals 2a, 
2b, ... provide service by telephone. The IC card termi- 
nals 2a, 2b, when installed, are each connected via 
a communication network 3 to a management center 4 
which sets and holds security information under its con- 
trol. In the following description the IC card terminals will 
be indicated generally by a numeral 2 except when a 
particular one of them is intended. The IC card 6 has ini- 
tial data written by the IC card dispenser 5 when it is 
issued, and security information necessary for the IC 
card 6 is provided from the management center 4. Inci- 
dentally, in the case where some functions of the man- 
agement center 4 are mounted on a portable telephone 
terminal or the like so that they are brought to the place 
where the IC card terminal 2 is located, the IC card ter- 
minal 2 need not always be connected via the commu- 
nication network 3 to the management center 4 when it 
is installed. 

Fig. 2 illustrates an example of the internal configuration of the IC card terminal 2 and Fig. 3 an example of the internal configuration of the IC card 6. The IC card terminal 2 comprises an IC card reader/writer 11 which reads and writes the IC card 6 inserted thereinto, function buttons 12 as of a keyboard, a display 13, a telephone controller 14, a network interface 15 for processing communication via the communication network 3, a handset 16 and a speech circuit 17.

In the IC card 6 there are stored in a ROM 61 programs for IC card procedures, signature creating and verifying algorithms and so forth, and a CPU 63 controls the entire processing of the IC card while utilizing a RAM 62 as a work area and communicates with the IC card reader/writer 11 of the IC card terminal 2 via an I/O interface 65 and contacts 66.

Fig. 4A shows the process that is performed when 
the IC card terminal 2 is installed. The IC card terminal 
2 receives from the management center 4 such pieces 
of terminal information as listed below when it is 
installed. 

(1) Master public key nA for verifying a master digital signature of the management center 4;

(2) Terminal secret keys pT and qT for the IC card terminal 2 to create a digital signature;

(3) Terminal public key nT for verifying the digital signature of the IC card terminal 2;

(4) Terminal identification number IDT for identifying the IC card terminal 2; and

(5) Master digital signature SA(nT * IDT) by the management center for the terminal public key nT and the terminal identification number IDT, where the symbol " * " represents concatenation; for example, 001 * 0101 = 0010101.

After receiving these pieces of information, the IC card terminal 2 verifies the validity of the master digital signature SA(nT * IDT) through use of the terminal public key nT, the terminal identification number IDT and the master public key nA, and if the master digital signature SA(nT * IDT) is valid, then the IC card terminal 2 records these pieces of information in a terminal information area 2M1 of a memory in the telephone controller 14. No description will be given of the method for verifying the digital signature, because it is disclosed in the afore-noted various digital signature schemes. As described previously, the verification of the digital signature S(M) generally calls for an unsigned full document M and a public key for verification use, but in the following description there are cases where a simplified description, "the digital signature is verified using the public key" or "the digital signature is verified," is used.

Incidentally, the management center 4 has set therein its master secret keys pA and qA and has functions of creating a different terminal identification number IDT for each IC card terminal 2 and the terminal public key nT and the terminal secret keys pT and qT corresponding to the terminal identification number IDT.

It is preferable that the terminal secret keys pT and 
qT be recorded in the terminal information area 2M 1 in 
the IC card terminal 2 which is not easily accessible 
from the outside, for example, in a RAM of a one-chip 
CPU or battery backup RAM of a construction wherein 
the power supply from the battery is cut off when the IC 
card terminal 2 is abused. 

In Fig. 4B there is shown the process that is performed by the IC card dispenser 5 when it issues the IC card 6. The IC card 6 receives from the IC card dispenser 5 such pieces of card information listed below that need to be held in the IC card 6. These pieces of information are provided in advance from the management center 4 to the IC card dispenser 5.

(1) Master public key nA for verifying the master digital signature of the management center 4;

(2) Card secret keys pU and qU for the IC card 6 to create its digital signature;

(3) Card public key nU for verifying the digital signature of the IC card 6;

(4) Card identification number IDU for identifying the IC card 6;

(5) Master digital signature SA(nU * IDU) of the management center 4 for the card public key nU and the card identification number IDU.

After receiving these pieces of card information, the IC card 6 verifies the validity of the master digital signature SA(nU * IDU) through use of the master public key nA and, if it is valid, the IC card 6 records these pieces of card information in a predetermined area (hereinafter referred to as a card information area) 6M1 in an EEPROM 64. Since the EEPROM 64 in the IC card 6 usually is not directly accessible from the outside, these pieces of card information cannot be read out to the outside of the IC card unless a predetermined procedure is executed. In particular, the card secret keys pU and qU need not be read out to the outside of the IC card 6 after once recorded therein, and hence they may preferably be held unreadable. In the process shown in Fig. 4B an amount of money is not yet written into the IC card 6. The management center 4 has functions of creating a different card identification number IDU for each IC card and the card public key nU and the card secret keys pU and qU corresponding to the IC card identification number IDU.

Fig. 4C shows processing for writing into the IC card 6 the amount of money prepaid therefor when it is a prepaid card. The procedure shown in Fig. 4C is used for the initial issuing of the IC card 6 and for recharging an amount of money into the IC card 6 when no money is left over.

The IC card 6 transmits to the IC card dispenser 5 the public key nU, the identification number IDU and the master digital signature SA(nU * IDU) which it read out of the card information area 6M1. The IC card dispenser 5 verifies the master digital signature SA(nU * IDU) by the master public key nA preset therein and, if valid, recognizes that the IC card is valid. In this instance, the IC card dispenser 5 transmits to the IC card 6 a master digital signature SA(V * IDU) for a prepaid amount of money V (i.e. an initial value of the remainder) and the card identification number IDU, the amount of money V, provided from the management center 4, and an IC card dispenser identification number IDC preset in the IC card dispenser 5. The IC card 6 verifies the master digital signature SA(V * IDU) by the master public key nA and, if valid, records these pieces of information in a usage information area 6M2 of the EEPROM 64 in the IC card 6.

It is also possible to employ a system configuration 
in which, for each IC card issuing process, the IC card 
dispenser 5 is connected online to the management 
center 4 to transmit thereto the IC card identification 
number IDU and the value V received from the IC card 
6 and the IC card dispenser 5 receives, in turn, the mas- 
ter digital signature SA(V * IDU) of the management 
center 4. Alternatively, these pieces of information may 
be prestored in the IC card dispenser 5. 

Fig. 5 shows processing for the card user to receive a service from the IC card terminal 2 by use of the IC card 6 which is a prepaid card. Figs. 5A and 5B show functional blocks of the IC card 6 and the IC card terminal 2. In this case, however, random generating parts 6C and 2C are shown corresponding to an embodiment described later in respect of Fig. 6. In the usage information area 6M2 of the EEPROM 64 in the IC card 6 there are recorded, as card usage information, the initial value V, the master digital signature SA(V * IDU) and the card dispenser identification number IDC. When the user inserts the IC card 6 into the IC card reader/writer 11 of the IC card terminal 2, the card public key nU, the card identification number IDU and the master digital signature SA(nU * IDU) are sent from the IC card 6 to the IC card terminal 2.

The IC card terminal 2 verifies the master digital signature SA(nU * IDU) by the master public key nA in a verifying part 2A (Fig. 5B) and, if valid, sends via a transmitting/receiving part 2E to the IC card 6 the pieces of terminal information nT, IDT and SA(nT * IDT) read out of the terminal information area 2M1. The IC card 6 receives these pieces of terminal information via a transmitting/receiving part 6D and verifies the validity of the master digital signature SA(nT * IDT). If it is valid, then the remaining value V, the identification number IDC and the master digital signature SA(V * IDU), which are pieces of card usage information read out of the usage information area 6M2 of the memory 64 in the IC card 6, and a digital signature SU(V) of the IC card, which is generated for the value V in a digital signature creating part 6B through use of the card secret keys pU and qU, are sent to the IC terminal 2.

The IC card terminal 2 verifies the received digital signature SU(V) by the card public key nU and the value V in the verifying part 2B. If it is valid, then the IC terminal 2 further checks the master digital signature SA(V * IDU) by the pieces of information nA, V and IDU to ensure that the value V has not been falsified, after which the IC terminal 2 displays the remaining value V of the IC card 6 on a display 13. While referring to the guidance provided on the display 13, the user specifies his desired service by pressing the function buttons 12. The IC card terminal 2 reads out the charge for the thus specified service from a list prestored in a memory of the telephone controller 14, or accesses the communication network 3 and receives the necessary service charge information via the network interface 15 from the communication network 3 or a service center (not shown). The IC card terminal 2 compares the charge for the service (hereinafter referred to as a service charge) v and the remaining value V and, when the latter is larger than the former, the IC card terminal 2 begins to provide the specified service. For example, in the case of a telephone service, when the value V is 10 yen or more, the IC card terminal 2 provides a prompt on the display 13 for input of the telephone number of a subscriber to be called and originates a call as the user dials the number.

In the above, when any one of the digital signatures is found invalid through verification, the IC card terminal 2 stops processing at that point and ejects or returns the IC card 6 to the user.

After completion of the service or call, the telephone controller 14 of the IC card terminal 2 (a remaining value updating part 2D in Fig. 5B) subtracts the service charge v, prestored in the memory of the telephone controller 14 or transmitted from the communication network 3 or service center, from the remaining value V to obtain a new remaining value V', after which the telephone controller 14 creates, in its digital signature creating part 2B, a terminal digital signature ST(V' * IDU) for the value V' and the card identification number IDU through use of the terminal private keys pT and qT. Then the IC card terminal 2 sends the value V' and the digital signature ST(V' * IDU) to the IC card 6.

The IC card 6 verifies the received digital signature ST(V' * IDU) by the public key nT in the verifying part 6A and, if it is valid, records the remaining value V' and the other pieces of information nT, IDT, SA(nT * IDT) and ST(V' * IDU) received from the IC card terminal 2, as card usage information, in the usage information area 6M2 of the EEPROM 64, erasing the previous card usage information. That is, the card usage information in the usage information area 6M2 is updated as indicated by the arrow in Fig. 5.

It is also possible to employ a configuration in which, when the usage information area 6M2 in the EEPROM 64 of the IC card 6 is to be updated with the current card usage information including the new remaining value V' received from the IC card terminal 2, the current remaining value V' is compared with the previous remaining value V in the usage information area 6M2, and if the new value V' is greater than the previous value V, then the new remaining value V' is regarded as abnormal or invalid. When such an abnormality is detected, the usage information area 6M2 of the IC card 6 is not updated, but instead a code representing the abnormality detection is written into the IC card 6 to prevent its further use. This ensures that the remaining value of the IC card 6 cannot be raised by altering the IC card terminal 2. Upon completion of the updating of the usage information area 6M2, authentication information (OK) representing it is sent to the IC card terminal 2.

In this embodiment, when either one of the digital signatures SA and ST is abnormal, the remaining value is not updated, but instead the abnormal contents of the IC card are recorded in code form.

Since the IC card 6 and the IC card terminal 2 transmit to and receive from each other their identification numbers appended with the master digital signature of the management center as mentioned above, even if the transmitted and received contents are falsified by altering the IC card 6 or the IC card terminal 2, the abuse can be detected by the verification of the digital signature at the receiving side. Moreover, even if the contents of the IC card could be copied to another IC card using a stolen IC card terminal, the falsification of the master digital signature of the management center for the card identification number is so difficult that there is no choice but to copy it; hence, such a copy can be checked by acquiring data of the abused IC card.

In Fig. 6 there are shown procedures for providing increased security against wire tapping of communication between the IC card 6 and the IC card terminal 2 through use of random numbers in the procedure of sending the remaining value V from the former to the latter.

When the IC card terminal 2 recognizes the validity of the IC card 6 inserted thereinto, by verifying the master digital signature SA(nU * IDU) received from the IC card 6 as described above with respect to Fig. 5, the IC card terminal 2 generates a random number R in a random generating part 2C (Fig. 5B) and sends it to the IC card 6 together with the pieces of information nT, IDT and SA(nT * IDT). The IC card 6 verifies the master digital signature SA(nT * IDT) by the master public key nA and the received pieces of information nT and IDT. When the master digital signature is valid, the IC card 6 generates a random number X in a random generating part 6C (Fig. 5A) and creates a digital signature SU(R * X * V) of the IC card 6 for the random number R, the random number X and the remaining value V by use of the card secret keys pU and qU, and then sends the thus created digital signature to the IC card terminal 2 together with the random number X and the pieces of card usage information V, SA(V * IDU) and IDC read out of the usage information area 6M2.

The IC card terminal 2 checks the master digital signature SA(V * IDU) to ensure that the remaining value V was provided from a valid terminal (including an IC card dispenser) to the IC card 6. Furthermore, the IC card terminal 2 verifies the digital signature SU(R * X * V) through use of the received X, V, the card public key nU and the previously generated random number R to ensure that the remaining value V is one that was received from the valid IC card 6. Then the IC card terminal 2 permits the start of the service specified by the card user.

Upon completion of the service, the IC card terminal 2 generates a digital signature ST(R * X * V' * IDU) for a new remaining value V', the card identification number IDU and the random numbers R and X, and sends it to the IC card 6 together with the new remaining value V'. The IC card 6 verifies the digital signature ST(R * X * V' * IDU) by the pieces of information IDU, R, X, V' and nT to ensure that the remaining value V' is valid, thereafter updating the usage information area 6M2 with all the pieces of information received from the IC card terminal 2.

With such a configuration, the random numbers R and X take different values for each use of the IC card, and consequently the digital signatures SU and ST also change. Hence, even if an outsider intercepts signals between the IC card 6 and the IC card terminal 2 and sends to the latter the same signals as those intercepted without using any IC card, the signals do not match because of the different random numbers; therefore, such wrong manipulation can be prevented. Moreover, even if the intercepted signals are sent by some means to the IC card 6 in the process of updating the remaining value, the signals do not match, and hence such wrong manipulation can be prevented.
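The exchange of Figs. 4A to 4C, Fig. 5 and Fig. 6, carried through in code as an added example (not code from the patent or from NTT). The ESIGN signatures of the section above are replaced by a textbook-RSA stand-in of the same shape (secret primes p, q; public modulus n; the SHA-256 digest of the message is what gets signed), the " * " concatenation is written with a field separator so that fields cannot run into one another, and the key seeds, identifiers and starting value are constructed values. The function names, the usage record layout and the block on an abnormal value are this example's own choices; the card blocks itself when a terminal presents a "new" value larger than the old one, as the Fig. 5 discussion requires, and a response captured under one R fails verification under any other R, which is the Fig. 6 point.

```python
import hashlib
import math
import secrets

E = 65537  # public exponent of the RSA stand-in; ESIGN proper uses different arithmetic

def _is_prime(n):
    return n > 1 and all(n % i for i in range(2, math.isqrt(n) + 1))

def make_keys(seed):
    """Toy key pair: secret primes (p, q) and public modulus n, the shape the patent uses."""
    p = seed
    while not _is_prime(p):
        p += 1
    q = p + 1
    while not (_is_prime(q) and math.gcd(E, (p - 1) * (q - 1)) == 1):
        q += 1
    return {"p": p, "q": q, "n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def concat(*parts):
    """The patent's ' * ' concatenation, with a separator so fields cannot run together."""
    return "|".join(str(x) for x in parts)

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % n

def sign(key, msg):
    return pow(_digest(msg, key["n"]), key["d"], key["n"])

def verify(n, msg, sig):
    return pow(sig, E, n) == _digest(msg, n)

# Management center A, terminal T and card U as provisioned in Figs. 4A-4C (constructed values).
A, T, U = make_keys(1_000_003), make_keys(2_000_003), make_keys(3_000_003)
IDT, IDU = "T-0001", "U-0042"
terminal = {"nA": A["n"], "key": T, "ID": IDT, "SA": sign(A, concat(T["n"], IDT))}
card = {"nA": A["n"], "key": U, "ID": IDU, "SA": sign(A, concat(U["n"], IDU)), "blocked": False,
        # Fig. 4C: the initial value V is vouched for by the center itself through SA(V * IDU)
        "usage": {"V": 1000, "signer": (A["n"], None, None), "nonces": (), "sig": None}}
card["usage"]["sig"] = sign(A, concat(1000, IDU))

def value_vouched(nA, IDU_, usage):
    """Terminal check that V was written by the center or by a terminal the center signed for."""
    n, sid, sa = usage["signer"]
    if sa is not None and not verify(nA, concat(n, sid), sa):
        return False
    return verify(n, concat(*usage["nonces"], usage["V"], IDU_), usage["sig"])

def terminal_admit(term, nU, IDU_, SA_nU):
    """Step 1: the terminal verifies SA(nU * IDU); on success it issues the random number R."""
    return secrets.randbelow(2**64) if verify(term["nA"], concat(nU, IDU_), SA_nU) else None

def card_respond(crd, R, nT, IDT_, SA_nT):
    """Steps 2-3: the card verifies SA(nT * IDT), then answers with X, its usage record and SU(R * X * V)."""
    if crd["blocked"] or not verify(crd["nA"], concat(nT, IDT_), SA_nT):
        return None
    X = secrets.randbelow(2**64)
    return X, dict(crd["usage"]), sign(crd["key"], concat(R, X, crd["usage"]["V"]))

def terminal_settle(term, nU, IDU_, R, response, charge):
    """Step 3: the terminal verifies the vouching signature and SU under its own R, and
    after the service signs V' = V - v together with R, X and IDU."""
    X, usage, SU = response
    if not value_vouched(term["nA"], IDU_, usage):
        return None  # V was not written by a valid device
    if not verify(nU, concat(R, X, usage["V"]), SU):
        return None  # replayed or forged response: it was not made for this session's R
    if usage["V"] < charge:
        return None  # insufficient remaining value, no service
    V_new = usage["V"] - charge
    return V_new, sign(term["key"], concat(R, X, V_new, IDU_))

def card_update(crd, term_pub, R, X, V_new, ST):
    """Step 4 plus the monotonicity rule: a 'new' value above the old one means an altered
    terminal, so the card records the abnormality and refuses further use."""
    nT, _, _ = term_pub
    if not verify(nT, concat(R, X, V_new, crd["ID"]), ST):
        return None
    if V_new > crd["usage"]["V"]:
        crd["blocked"] = True
        return "ABNORMAL"
    crd["usage"] = {"V": V_new, "signer": term_pub, "nonces": (R, X), "sig": ST}
    return "OK"

def session(crd, term, charge):
    """One complete Fig. 6 session; None means a check failed and the card is ejected."""
    R = terminal_admit(term, crd["key"]["n"], crd["ID"], crd["SA"])
    term_pub = (term["key"]["n"], term["ID"], term["SA"])
    resp = None if R is None else card_respond(crd, R, *term_pub)
    settled = None if resp is None else terminal_settle(term, crd["key"]["n"], crd["ID"], R, resp, charge)
    return None if settled is None else card_update(crd, term_pub, R, resp[0], *settled)
```

The usage record keeps whichever signer last vouched for V (the center after Fig. 4C, a terminal after each Fig. 6 update) together with the nonces that signature covered, so the next terminal can re-verify it exactly as the text requires before showing the balance. Calling `session(card, terminal, 300)` twice takes the value from 1000 to 400; a third call for 500 fails at the value check and nothing is written.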

Fig. 7 shows procedures which provide increased security through use of random numbers at the time of writing the prepaid value into the IC card 6 when it is initially issued or recharged. It is assumed here that the IC card dispenser 5 and the management center 4 are connected online as shown in Fig. 1.

When inserted into the IC card dispenser 5, the IC 
card 6 sends thereto the card public key nU, the card 
identification number IDU and the master digital signa- 
ture SA(nU * IDU). The IC card dispenser 5 verifies the 
validity of the master digital signature SA(nU * IDU) by 
the master public key nA to ensure that the IC card is 
valid. Then the IC card dispenser 5 generates a random 
number Y and sends it to the IC card 6 together with the 
amount information V and the dispenser identification 
number IDC. 

The IC card 6, in turn, generates the random number X and then generates a digital signature SU(Y * X * V) for the random numbers Y and X and the amount information V, thereafter sending it to the IC card dispenser 5 together with the random number X.

The IC card dispenser 5 verifies, in turn, the digital signature SU(Y * X * V) by the card public key nU and, if it is valid, transmits the random numbers X and Y, the amount information V and the card identification number IDU to the management center 4.

The management center 4 generates a master dig- 
ital signature SA(Y * X * V * IDU) for these pieces of 
information received from the IC card dispenser 5 and 
transmits it therethrough to the IC card 6. The IC card 6 
recognizes the validity of the management center 4 
through verification of the master digital signature SA(Y 
* X * V * IDU) by the master public key nA and records 
the entire information received from the IC card dis- 
penser 5 in the usage information area 6M2 in the mem- 
ory 64. 






Incidentally, the IC card dispenser 5 may be of a configuration wherein it does not perform the verification processing but only reads and writes data into the IC card 6. In such an instance, the IC card dispenser 5 functions only as a relay for the respective information, and the verification of digital signatures and the generation of the random number are performed by the management center 4.

Fig. 8 shows procedures for setting a secret key which is used not only to encrypt the contents of communication at the transmitting side but also to decrypt them at the receiving side, so as to prevent the information from being stolen or falsified on the communication path between the management center 4, the IC card terminal 2, the IC card 6 and the IC card dispenser 5, which are each located at a place remote from the others and transmit information to one another using a communication procedure.

The management center 4 has an encrypting function E for cipher communication, a temporary common key Ktemp and a common key KO for encryption use, and a key-creating master key KA for deriving encrypting keys KT and KU for cipher communication from specific information such as the terminal and card identification numbers IDT and IDU. In this case, it is possible to use, as the encrypting function E, the algorithm FEAL disclosed in "Fast data encipherment algorithm FEAL," IECEJ Technical Report IT 86-33 (1986), for instance. The encipherment of a document M by the key K will be indicated by EK{M}.

The IC card terminal 2 has the temporary common key Ktemp recorded in its memory when it was manufactured, and when it is installed, it receives the encrypting terminal key KT and the common key KO by cipher communication using the temporary common key Ktemp and records these keys KO and KT in the memory. Thereafter, the transmission and reception of signals between the management center 4 and the IC card terminal 2, described previously in conjunction with Fig. 4A, are carried out by cipher communication using the key KT inherent to the terminal 2.

The IC card 6 has the temporary common key Ktemp recorded in its memory when it was fabricated, and when it is issued, it receives the encrypting key KU and the common key KO via the IC card dispenser 5 and records these keys KU and KO in the memory. The encrypting key KU is generated from the card identification number IDU under the master key KA.

The key KU may be delivered from the management center 4 to the IC card dispenser 5 together with the pieces of data nA, IDU, ... when they are delivered as described previously with respect to Fig. 5B. After this, the transmission and reception of signals between the IC card 6 and the IC card dispenser 5 described previously in respect of Figs. 4B and 4C are performed by cipher communication using the key KU inherent to the card 6.

On the other hand, the transmission and reception of signals between the IC card terminal 2 and the IC card 6 shown in Figs. 5 and 6 are carried out by cipher communication using the common key KO.

In the case where the IC card dispenser 5 and the management center 4 are connected online as described previously with reference to Fig. 7, the transmission of the card identification number IDU from the IC card 6 to the management center 4 enables the latter to derive the key KU from the card identification number IDU by use of the master secret key KA; therefore, it is possible to provide increased security by using the encrypting key KU inherent to the card, in place of the common key KO, for writing the prepaid amount into the card or recharging it.

While the foregoing description has been given on the assumption that the IC card dispenser 5 and the management center 4 are located at different places, they may be formed as a unitary structure with each other, and it is also possible to enclose the IC card dispenser 5 and the IC card terminal 2 in the same housing. Moreover, in the cases of transmitting the terminal secret keys pT and qT from the management center 4 to the IC card terminal 2 and transmitting the card secret keys pU and qU from the IC card dispenser 5 to the IC card 6, security can be further increased by transmitting the keys together with the master digital signature of the management center 4 and by verifying the signature at the receiving side.

According to the embodiments of Figs. 5 and 6, since the IC card 6 and the IC card terminal 2 each transmit the identification number and the public key to the other together with the master digital signature of the management center 4, even if the contents of communication are falsified by, for example, forcing the IC card terminal 2 open, the falsification can be detected by verifying the master digital signature of the management center 4 at the receiving side. Furthermore, even if the contents of the IC card 6 could be copied to another IC card by a stolen IC card terminal, for instance, falsification of the master digital signature of the management center 4 is so difficult that there is no choice but to copy it intact; therefore, the copy could be checked by acquiring data of the IC card used.

Besides, it is impossible to issue an IC card equivalent to a normal or valid one by altering a stolen IC card terminal or through use of a personal computer and an IC card reader unless the master secret key for generating the master digital signature of the management center, placed under strict supervision, is known. In addition, since the validity of the IC card and the IC card terminal is verified by the identification number appended with the master digital signature of the management center 4 as referred to above, the IC card terminal 2 does not need to inquire of the management center 4 about the validity of the IC card 6 prior to or during the service being rendered.

Turning next to Fig. 9, a description will be given of an embodiment of the invention improved from the Fig. 6 embodiment applied to the prepaid card system. As in the Fig. 6 embodiment, the IC card system, each IC card terminal and the IC card are basically identical in configuration with those shown in Figs. 1, 2 and 3, except that the IC card terminals 2a, 2b, ... each have a list of invalid IC card identification numbers IDU1, IDU2, ... prestored in a memory area 2M_2 of its internal RAM as described later on. The invalid identification number list is written into the memory area 2M_2 by a download from the management center 4, for instance, when the IC card terminal 2 is installed, and thereafter the list is updated by the management center 4 as required.

Fig. 9 shows processing for the card user to receive his desired service at the IC card terminal 2b, different from the terminal 2a used previously. The pieces of information or data prestored in the card information area 6M_1 of the EEPROM 64 of the IC card 6 and in the terminal information area 2M_1 of the RAM in the telephone controller 14 of the IC card terminal 2b are the same as in the case of the Fig. 6 embodiment. In this case, however, symbols representing pieces of information or data inherent to the respective IC card terminals 2a and 2b will be identified by superscripts "a" and "b" (written here as, for example, nT^a and nT^b), respectively. In the usage information area 6M_2 of the memory 64 of the IC card 6 there is retained the previous usage information, which includes the remaining value V, the terminal identification number IDT^a, the terminal public key nT^a, the random numbers R^a and X, the master digital signature SA(nT^a * IDT^a) and the terminal digital signature ST^a(R^a * X * V * IDU) received from the IC card terminal 2a used previously as described in connection with Fig. 6. The IC card terminal 2b has the afore-mentioned list of invalid card identification numbers IDU1, IDU2, ... in another area 2M_2 of the memory.

When inserted into the IC card terminal 2b, different from that used previously, the IC card 6 sends thereto the card identification number IDU, the card public key nU and the master digital signature SA(nU * IDU). The IC card terminal 2b matches the received card identification number IDU against the list of invalid card identification numbers prestored in the memory area 2M_2 and, when no match is detected, the IC card terminal 2b verifies the master digital signature SA(nU * IDU). If this signature is valid, the IC card terminal 2b generates a random number R^b and sends it to the IC card 6 together with a terminal public key nT^b, a terminal identification number IDT^b and a master digital signature SA(nT^b * IDT^b).

The IC card 6 verifies the master digital signature SA(nT^b * IDT^b) and, if it is valid, generates a random number X' and a card digital signature SU(R^b * X' * V) for the random numbers R^b and X' and the remaining value V, and sends them to the IC card terminal 2b together with the pieces of the previous card usage information or data R^a, X, IDT^a, nT^a, ST^a(R^a * X * V * IDU) and SA(nT^a * IDT^a).

The IC card terminal 2b verifies the card digital signature SU(R^b * X' * V), the terminal digital signature ST^a(R^a * X * V * IDU) and the master digital signature SA(nT^a * IDT^a) of the previous card usage information, all received from the IC card 6. When all the digital signatures are valid, the IC card terminal 2b displays the remaining value V and a guidance or prompt on the display 13. The user specifies his desired service by pressing the function buttons 12 and receives the service. Upon completion of the service, the IC card terminal 2b creates a new remaining value V' and a terminal digital signature ST^b(R^b * X' * V' * IDU) and sends them to the IC card 6.

The IC card 6 verifies the terminal digital signature received from the IC card terminal 2b and, if it is valid, updates the usage information area 6M_2 with all the pieces of information received from the IC card terminal 2b and sends thereto an authentication signal OK. On the other hand, the IC card terminal 2b then generates usage management information h from the card identification number IDU, the random numbers R^a and X, the terminal identification number IDT^a and the remainder value V received from the IC card 6, and temporarily records it in another area 2M_3 of the RAM in the telephone controller 14, together with the card identification number IDU. In this case, the usage management information h may be a numerical sequence composed of, for instance, IDU, R^a, X, IDT^a and V, or its data-compressed version by a hash function.

The card identification number and the data of usage information stored in the IC card terminal 2b are sent to the management center 4 at proper time intervals, for example, every day. In the database 4D in the management center 4 there are registered card identification numbers (IDU_0, IDU_1, IDU_2, ...) and IC card usage management information (h_01, h_02, h_03 for IDU_0, for example) received so far. Upon newly receiving a card identification number and usage management information, the management center 4 first retrieves the card identification number. When the same card identification number is not found, the card identification number and the accompanying usage management information received from the IC card terminal 2b are newly registered. When the same card identification number is found, the usage management information of the card identification number already registered and the usage management information newly received are compared and checked to see if they are the same. If not, the latter is additionally registered as new usage management information. If the same usage management information is found, then the card identification number is registered in the invalid card list 4L (as IDU_100).

When having registered the card identification number in the invalid card list 4L, the management center 4 calls all of the IC card terminals 2 and transmits the registered card identification number to the IC card terminals 2, wherein it is additionally registered in the invalid card identification number list of the memory area 2M_2. Hence, when the IC card of that card identification number is used, it can be decided to be abnormal by checking its card identification number, and its use can be inhibited. By constructing the management center 4 so that upon registration of the card identification number in the invalid card list 4L all pieces of data of that card identification number in the database 4D are erased, the data retrieval time can be reduced. Moreover, by constructing the IC card terminal 2 so that it stores new remaining value information as well as the card identification number and the usage/management information and transmits the new remaining value information to the management center 4 together with the usage/management information, and by providing a database of remaining value information corresponding to each card identification number, the remaining value information can be used to specify the remaining value, for example, when the data of the IC card 6 is destroyed.
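
The clone check performed at the management center, as an added example that is not part of the patent: database 4D is modelled as a map from IDU to the set of usage management information h seen so far, h is the SHA-256 hash of the sequence IDU, R^a, X, IDT^a, V (the patent allows any hash function; the field names and sample values are constructed), and a card whose previous-usage state is reported a second time is entered in the invalid card list 4L that the terminals download into area 2M_2.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class UsageReport:
    """One report sent by an IC card terminal 2b to the management center 4:
    the card identification number IDU and the previous usage data the card
    presented (R^a, X, IDT^a, V), from which h is derived."""
    idu: str    # card identification number IDU
    r_a: str    # random number R^a from the previously used terminal 2a
    x: str      # random number X generated by the card at its previous use
    idt_a: str  # identification number IDT^a of the previously used terminal
    v: int      # remaining value V before the present update

    def usage_management_info(self) -> str:
        """Usage management information h: the sequence IDU, R^a, X, IDT^a, V
        compressed by a hash function (SHA-256 is this example's choice)."""
        seq = "|".join([self.idu, self.r_a, self.x, self.idt_a, str(self.v)])
        return hashlib.sha256(seq.encode()).hexdigest()


@dataclass
class ManagementCenter:
    """Database 4D (IDU -> set of h seen so far) and invalid card list 4L."""
    database_4d: dict = field(default_factory=dict)
    invalid_list_4l: list = field(default_factory=list)

    def register(self, report: UsageReport) -> str:
        h = report.usage_management_info()
        if report.idu in self.invalid_list_4l:
            return "already invalid"
        seen = self.database_4d.get(report.idu)
        if seen is None:
            # IDU not found: register it together with its first h.
            self.database_4d[report.idu] = {h}
            return "new"
        if h not in seen:
            # IDU known but this h is new: normal consecutive use.
            seen.add(h)
            return "appended"
        # The same previous-usage state was consumed twice: two cards claim
        # the same history, so the card data was copied. Register the IDU in
        # list 4L and erase its database entries to shorten retrieval.
        self.invalid_list_4l.append(report.idu)
        del self.database_4d[report.idu]
        return "invalidated"


def terminal_accepts(invalid_list_2m2: list, idu: str) -> bool:
    """Check made by terminal 2b before any signature verification: the IDU
    is matched against the downloaded invalid list held in area 2M_2."""
    return idu not in invalid_list_2m2


def run_demo() -> dict:
    """Constructed scenario: a genuine card used twice, then a copy of it."""
    center = ManagementCenter()
    # First use at terminal 2b: the previous usage data came from terminal 2a.
    genuine_1 = UsageReport("IDU-0001", "Ra-7f3a", "X-91c2", "IDT-a", 5000)
    # Second use: the card now holds 2b's random number and a fresh X'.
    genuine_2 = UsageReport("IDU-0001", "Rb-0c44", "X-55e0", "IDT-b", 4200)
    # A copy taken between the two uses still presents the first history.
    clone = UsageReport("IDU-0001", "Ra-7f3a", "X-91c2", "IDT-a", 5000)
    results = [center.register(r) for r in (genuine_1, genuine_2, clone)]
    # The center downloads list 4L to every terminal's area 2M_2.
    area_2m2 = list(center.invalid_list_4l)
    return {
        "results": results,
        "invalid_list": area_2m2,
        "card_accepted_now": terminal_accepts(area_2m2, "IDU-0001"),
        "other_card_accepted": terminal_accepts(area_2m2, "IDU-0002"),
    }


if __name__ == "__main__":
    print(run_demo())
```

Note that the check invalidates the IDU, not a particular card: once a copy is detected, the genuine card sharing that IDU is refused as well, which is the behaviour the text describes.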

As will be seen from comparison of Figs. 4C and 7 with Figs. 5, 6 and 9, although in the above the IC card 6 does not initially have, for example, the digital signature ST(R * X * V * IDU) and the terminal public key nT of the IC card terminal 2 in the usage information area 6M_2 of the EEPROM 64, it is a matter of course that if initial values corresponding to them are recorded in the initial state as well, the usage/management information can be generated from the beginning of the use of the IC card and the whole usage/management information can be held under the control of the management center 4.

While in the above the IC card 6 and the IC card terminal 2 are configured so that they have, in their card information area 6M_1 and terminal information area 2M_1, the secret keys pU, qU and pT, qT for generating digital signatures and the public keys nU and nT for them, respectively, and transmit desired pieces of information together with the digital signatures, it is also possible to omit such a function to simplify the processing of the IC card system.

Also it is possible to omit either one of the random numbers R and X, although security decreases. Conversely, by prestoring algorithms for encipherment of information to be transmitted and a common key for encipherment and decipherment in the memories of the IC card 6 and the IC card terminal 2, the mutual communication between them can be made by cipher communication to provide further increased security.

As described above, according to the Fig. 9 embodiment, since particular card identification numbers are registered in the card identification number list of the IC card terminal 2, it is possible to inhibit the use of IC cards of the registered card identification numbers. Furthermore, when the IC card 6 is used, at least the terminal identification number identifying the IC card terminal used and the random number generated by at least one of the IC card 6 and the IC card terminal 2 are registered as previous information in the IC card 6, and when the IC card 6 is used next, at least the card identification number and the usage/management information derived from the card identification number, the remaining value before updating and the previous information are registered and supervised in the management center as information for specifying the initial state of the IC card 6, only in the case of updating the remaining value information. When the card identification number and the usage/management information of the currently used IC card 6 match those already registered, the card identification number is registered as abnormal in the card identification number list of the IC card terminal 2, by which it is possible to inhibit further use of the IC card 6 of the same card identification number as that registered.

Referring next to Fig. 10, another embodiment of 
the present invention will be described as being applied 
to a prepaid card system. 

Fig. 10 shows procedures for the payment of charges by the IC card 6 in an improved version of the Fig. 5 embodiment. As in the Fig. 5 embodiment, the IC card system, the IC card terminal 2 and the IC card 6 are basically identical in configuration with those depicted in Figs. 1, 2 and 3. In this instance, however, the IC card terminal 2 has in the ROM of the telephone controller a program which executes an algorithm for updating a time stamp as described later on. For example, the afore-noted FEAL can be used as the algorithm for updating the time stamp.

The initial value TS_0 of the time stamp TS_t may be recorded in a memory area 2M_4 of the RAM in the telephone controller 14 after being received from the management center 4 via the communication network 3 when the IC card terminal 2 is installed; alternatively, it may also be preset in the memory area 2M_2 of the RAM in the telephone controller 14 when the IC card terminal 2 is fabricated. The update information t is initialized to "0", for instance, and is incremented by 1 upon each updating of the time stamp TS_t. In the RAM of the telephone controller 14 there is provided a terminal list area 2M_5 for registering a list of terminal identification numbers IDT of stolen or similarly troubled IC card terminals, the initial values TS_0 of the time stamps corresponding to them and the update information t at the time when each trouble was found.

In the configuration of Figs. 1 through 3, the terminal identification number IDT, the initial value TS_0 of the time stamp and the update information t set in each IC card terminal 2 are registered in the management center 4. The time stamp TS_t set in the respective IC card terminal 2 is independently updated by its internal timer from the initial value TS_0, for example, every day under a predetermined algorithm; namely, the time stamp is replaced with a new time stamp in sequential order (TS_0 -> TS_1 -> TS_2 -> ... -> TS_t -> ...), and thus the previous time stamps disappear one after another. The updating of the time stamp need not always be periodic. Upon each updating of the time stamp, the number of updates (i.e. the update information or data) t is updated to t+1. Each time stamp TS_t and the update information t need only correspond to each other; that is, the time stamp may be a mere symbol and need not be a quantity.

Upon updating the update information t, the IC card terminal 2 automatically calls the management center 4 and transmits thereto the terminal identification number and the renewed update information. The management center 4 replaces the preregistered update information t of the corresponding terminal identification number IDT with the received update information t. Incidentally, it is necessary to utilize, for updating the time stamp TS_t, an algorithm which generates the succeeding time stamp TS_{t+1} from the current time stamp TS_t under an encryption algorithm E using an encrypting key K, as exemplified in Fig. 11, so that a previous time stamp cannot be generated from the current one. The afore-noted algorithm FEAL, for instance, can be used as such an algorithm. The initial value TS_0 of the time stamp registered in the management center 4 is not updated. In such a state, when an IC card terminal 2 is stolen, the management center 4 is capable of determining, from the terminal identification number IDT of the stolen IC card terminal 2, the initial value TS_0 of the time stamp of the stolen IC card terminal 2 and the update information t of the time stamp at the time when the IC card terminal 2 was stolen. These pieces of information or data are registered in the terminal list of all IC card terminals 2 by a download from the management center 4.

Fig. 10 is explanatory of the processing for the user to receive his desired service at the IC card terminal 2b through use of the IC card 6. In the Fig. 10 embodiment, however, the IC card 6 side has no digital signature generating function. In the card information area 6M_1 of the EEPROM 64 of the IC card 6 there are stored the master public key nA, the card identification number IDU and the master digital signature SA(IDU), and in the usage information area 6M_2 there are stored the remaining value V, the terminal identification number IDT^a, the terminal public key nT^a, the update information t^a, the terminal digital signature ST^a(TS^a_t) for the time stamp TS^a_t and the master digital signature SA(nT^a * IDT^a), which are the card usage information received from the IC card terminal 2a previously used. In this example the master digital signature SA(IDU) held in the IC card 6 is shown to be a master digital signature for only the identification number of the IC card, but it is also possible to use a master digital signature SA(IDU * mU) for the concatenation of the identification number IDU and predetermined information mU.

In the terminal information area 2M_1 of the RAM in the telephone controller 14 of the IC card terminal 2b there are stored the terminal identification number IDT^b, the terminal secret keys pT and qT for creating the digital signature, the terminal public key nT^b, the master public key nA and the master digital signature SA(IDT^b * nT^b), and in another predetermined area 2M_4 there are recorded the latest time stamp TS^b_t and the update information t^b of the IC card terminal 2b. In still another area 2M_5 of the RAM in the IC card terminal 2b there are recorded, as a table, the terminal identification numbers IDT^j, IDT^k, ... of stolen or similarly troubled IC card terminals, their initial time stamps TS^j_0, TS^k_0, ... and the update information t^j, t^k, ... at the points when they were found, which are provided from the management center 4.

When inserted into the IC card reader/writer 11 of the IC card terminal 2b, the IC card 6 sends thereto the identification number IDU and the master digital signature SA(IDU) as in the embodiments described above. The IC card terminal 2b verifies the received master digital signature SA(IDU) by the master public key nA and, if it is valid, then sends the identification number IDT^b, the terminal public key nT^b and the master digital signature SA(IDT^b * nT^b) of the IC card terminal 2b itself to the IC card 6. Then the IC card 6 verifies the validity of the received master digital signature SA(IDT^b * nT^b) by the master public key nA. The process performed so far is the same as in the embodiment of Fig. 5. When the master digital signature SA(IDT^b * nT^b) is valid, the IC card 6 sends the pieces of previous card usage information V, IDT^a, t^a, nT^a, ST^a(TS^a_t) and SA(nT^a * IDT^a) to the IC card terminal 2b. The IC card terminal 2b matches the received terminal identification number IDT^a with each piece of the data IDT^j, IDT^k, ... in the troubled terminal list and, when they do not match, displays the remaining value V and a guidance or prompt on the display 13. When the user specifies his desired service by pressing the function buttons 12 while referring to the guidance displayed on the display 13, the IC card terminal 2b reads out the charge v for the specified service from a list prestored in a memory of the telephone controller 14 or receives the charge v from the service center (not shown) via the communication network 3. Then the IC card terminal 2b compares the charge v and the remaining value V and starts to provide the specified service when the remaining value V is larger than the service charge v. Upon completion of the service, the IC card terminal 2b subtracts the service charge v from the remaining value V to obtain a new remainder value V' and generates a digital signature ST^b(TS^b_t) for the current time stamp TS^b_t by the terminal secret or private keys pT^b and qT^b and sends it to the IC card 6 together with the pieces of data V' and t^b. The IC card 6 updates the usage information area 6M_2 in the EEPROM 64 with all the pieces of information received from the IC card terminal 2b, together with the remaining value V'.

In the above processing, when the terminal identification number IDT^a sent to the IC card terminal 2b matches any one of those in the troubled terminal list, the following processing is performed.



(1) Let IDT^j represent the terminal identification number in the list that matched the terminal identification number IDT^a sent to the IC card terminal 2b. Starting from the initial value TS^j_0 of the time stamp corresponding to the terminal identification number IDT^j, the time stamp is recursively calculated, the number of times indicated by the update information t^a received from the IC card 6, under the algorithm of Fig. 11 registered as a program of the IC card terminal 2b, and the time stamp TS^j_t corresponding to the update information t^a is obtained as follows:

TS^j_0 -> TS^j_1 -> TS^j_2 -> ... -> TS^j_t

(2) The IC card terminal 2b verifies the validity of the signature ST^a(TS^a_t) by the time stamp TS^j_t obtained by the above calculation and the public key nT^a received from the IC card 6.

(3) When the digital signature is not valid, the IC card terminal 2b decides that the IC card 6 is abnormal or invalid and stops further processing, then ejecting or returning the IC card 6 to the user.

(4) When the digital signature is valid, the IC card terminal 2b compares the update information t^j corresponding to the above-noted terminal identification number IDT^j in the troubled terminal list with the update information t^a received from the IC card 6.

(5) When t^a <= t^j, the update information t^a is judged as update information generated before the pieces of data IDT^j, TS^j_0 and t^j were registered in the terminal list; that is, the IC card 6 is judged to be an IC card whose card usage information (terminal identification number IDT^j, update information t^a, public key nT^a and digitally-signed time stamp ST^a(TS^a_t)) in the usage information area 6M_2 had been updated by a stolen IC card terminal 2j (not shown) of the identification number IDT^j before it was stolen. As a result, the IC card terminal 2b regards the IC card 6 as valid and performs the subsequent processing accordingly.

(6) When t^a > t^j, the update information t^a is judged as update information generated after the pieces of data IDT^j, TS^j_0 and t^j were registered in the troubled terminal list; that is, the IC card 6 is judged to be an IC card whose card usage information was updated by the IC card terminal 2j of the identification number IDT^j after it had been stolen. As a result, the IC card terminal 2b regards the IC card 6 as invalid, discontinues the process and ejects or detains the IC card in the IC card terminal 2b.
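
The time-stamp chain of Fig. 11 and the checks of steps (1) to (6), as an added example that is not part of the patent: HMAC-SHA256 stands in for the encrypting function E (the patent offers FEAL), a toy RSA-type signature with tiny primes stands in for the terminal signature ST with keys pT, qT and nT, and the key K is assumed to be common to the management center and all terminals so that terminal 2b can recompute another terminal's chain. The function and field names and the sample values are the example's own.

```python
import hashlib
import hmac
from dataclasses import dataclass

# TS_{t+1} = E_K(TS_t). The patent offers FEAL as E; HMAC-SHA256 keyed with K
# stands in here (assumption). K is assumed common to the management center
# and all terminals, since terminal 2b must recompute another terminal's chain.


def next_time_stamp(key_k: bytes, ts_t: bytes) -> bytes:
    """E_K(TS_t): one-way, so TS_t cannot be recovered from TS_{t+1}."""
    return hmac.new(key_k, ts_t, hashlib.sha256).digest()


def time_stamp_at(key_k: bytes, ts_0: bytes, t: int) -> bytes:
    """Step (1): TS_0 -> TS_1 -> ... -> TS_t by t applications of E_K."""
    ts = ts_0
    for _ in range(t):
        ts = next_time_stamp(key_k, ts)
    return ts


# Toy RSA-type terminal signature ST(TS_t): secret primes pT, qT and public
# modulus nT. The primes are tiny and the scheme is for illustration only.
E_PUB = 65537


def make_terminal_keys(p_t: int, q_t: int) -> tuple:
    """Returns (nT, d): the public modulus and the private signing exponent."""
    n_t = p_t * q_t
    return n_t, pow(E_PUB, -1, (p_t - 1) * (q_t - 1))


def _digest_mod_n(message: bytes, n_t: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n_t


def sign(d: int, n_t: int, message: bytes) -> int:
    return pow(_digest_mod_n(message, n_t), d, n_t)


def verify(n_t: int, message: bytes, signature: int) -> bool:
    return pow(signature, E_PUB, n_t) == _digest_mod_n(message, n_t)


@dataclass(frozen=True)
class TroubledTerminal:
    """One row of the terminal list in area 2M_5: IDT^j, TS^j_0 and t^j."""
    idt_j: str
    ts_0: bytes
    t_j: int  # update information at the time the trouble was found


def check_previous_usage(troubled_list: list, key_k: bytes, idt_a: str,
                         t_a: int, n_t_a: int, sig_a: int) -> str:
    """Steps (1) to (6) run by terminal 2b on the previous usage data
    IDT^a, t^a, nT^a and ST^a(TS^a_t) presented by the card."""
    entry = next((e for e in troubled_list if e.idt_j == idt_a), None)
    if entry is None:
        return "not in troubled list"
    ts_j_t = time_stamp_at(key_k, entry.ts_0, t_a)   # step (1)
    if not verify(n_t_a, ts_j_t, sig_a):             # steps (2), (3)
        return "invalid: signature does not verify"
    if t_a <= entry.t_j:                             # steps (4), (5)
        return "valid: written before the theft"
    return "invalid: written after the theft"        # step (6)


def run_demo() -> dict:
    """Constructed scenario: terminal 2a is reported stolen at t^j = 5."""
    key_k = b"constructed common key K"
    ts_0 = b"constructed initial time stamp TS_0 of terminal 2a"
    n_t_a, d_a = make_terminal_keys(10007, 10009)
    troubled = [TroubledTerminal("IDT-a", ts_0, 5)]

    def card_after_use_at(t: int) -> tuple:
        # (t^a, ST^a(TS^a_t)) as terminal 2a writes them at update t.
        return t, sign(d_a, n_t_a, time_stamp_at(key_k, ts_0, t))

    t3, sig3 = card_after_use_at(3)  # written before the theft was found
    t7, sig7 = card_after_use_at(7)  # written by the stolen terminal
    return {
        "before_theft": check_previous_usage(troubled, key_k, "IDT-a", t3, n_t_a, sig3),
        "after_theft": check_previous_usage(troubled, key_k, "IDT-a", t7, n_t_a, sig7),
        # An update count that does not match the signed time stamp fails step (2).
        "mismatched_t": check_previous_usage(troubled, key_k, "IDT-a", 2, n_t_a, sig7),
        "other_terminal": check_previous_usage(troubled, key_k, "IDT-c", t7, n_t_a, sig7),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, "->", outcome)
```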


Fig. 12 illustrates another embodiment of the invention which provides further increased security through use of random numbers in the Fig. 10 embodiment, as in Fig. 6. In a ROM 61 of the IC card 6 there are recorded an algorithm for generating the digital signature and an algorithm for generating the random numbers. In the card information area 6M_1 in the EEPROM 64 of the IC card 6 there are stored the information in the card information area 6M_1 in Fig. 10, together with the card secret keys pU and qU and the public key nU for the verification of the digital signature. In this case, however, the master digital signature used is SA(IDU * nU). In the usage information area 6M_2 in the EEPROM 64 there are held all pieces of card usage information received from the previously used IC card terminal 2a, that is, the terminal identification number IDT^a, the public key nT^a, the master digital signature SA(nT^a * IDT^a) for them, the update information t^a, the random number R^a, the previously generated random number X, a first digital signature ST^a(R^a * X * V * IDU) = S^a generated by the previously used IC card terminal 2a for the random numbers R^a and X, the remaining value V and the card identification number IDU, and a second digital signature ST^a(TS^a_t * S^a) generated by the previously used IC card terminal 2a for the first digital signature S^a and the time stamp TS^a_t.

When inserted into the IC card reader/writer 11 of the IC card terminal 2b, the IC card 6 sends thereto the card identification number IDU, the public key nU and the master digital signature SA(IDU * nU) as in the case of Fig. 10, and the IC card terminal 2b verifies the master digital signature SA(IDU * nU) by the master public key nA. When the master digital signature is valid, the IC card terminal 2b sends the terminal identification number IDT^b, the public key nT^b and the master digital signature SA(IDT^b * nT^b) to the IC card 6. The IC card 6, in turn, verifies the master digital signature SA(IDT^b * nT^b) and, if valid, sends to the IC card terminal 2b the pieces of data R^a, X, V, IDU, S^a, IDT^a, t^a, SA(nT^a * IDT^a), nT^a and ST^a(TS^a_t * S^a) which are the previous card usage information.

Then the IC card terminal 2b verifies the validity of the first digital signature S^a by the public key nT^a. When the signature S^a is valid, the IC card terminal 2b matches the received terminal identification number IDT^a with the data in the troubled terminal list, and if the former does not match the latter, the IC card terminal 2b generates the random number R^b and sends it to the IC card 6. In response to this, the IC card 6 generates the random number X' and generates a digital signature SU(R^b * X' * V) for the random numbers R^b and X' and the remaining value V by use of the secret keys pU and qU, then sends it to the IC card terminal 2b together with the random number X' and the card public key nU. The IC card terminal 2b, in turn, checks the validity of the received digital signature SU(R^b * X' * V) by the public key nU also received from the IC card 6. When the digital signature is valid, the IC card terminal 2b displays the remaining value V on the display 13 and then provides a predetermined service. After completion of the service the IC card terminal 2b obtains the new remaining value V' and generates a first digital signature ST^b(R^b * X' * V' * IDU) = S^b for the random numbers R^b and X', the remaining value V' and the card identification number IDU by use of the terminal secret keys pT^b and qT^b and, at the same time, generates a second digital signature ST^b(TS^b_t * S^b) for the time stamp TS^b_t and the first digital signature S^b, thereafter sending them to the IC card 6 together with the new remaining value V' and the update information t^b. The IC card 6 checks the validity of the received first digital signature S^b by the terminal public key nT^b also received from the IC card terminal 2b and, if it is valid, then updates the usage information area 6M_2 with the whole information received from the IC card terminal 2b. In the event that the validity of a digital signature cannot be verified in the above, the IC card terminal 2b stops processing at that point and ejects or returns the IC card 6.

In the case where the data IDT^j that matches the data IDT^a sent to the IC card terminal 2b is found in the troubled terminal list, the same process as described previously is performed. In this embodiment, since the random numbers R and X, generated by the IC card terminal 2 and the IC card 6, are utilized in the transmission and reception of information between them, the contents of signals will never become the same; hence it is possible to prevent an abuse using an intercepted signal. Moreover, since the IC card 6 and the IC card terminal 2 not only conduct mutual verification of the master digital signature but also generate their own digital signatures and mutually verify them, the system security can be further increased.

Also in the embodiment of Fig. 12, by prestoring algorithms for encryption and decryption of transmission data and common encrypting and decrypting keys in the memories of the IC card 6 and the IC card terminal 2, the communication between them can be made a cipher communication; this also provides further increased security.

As described above, according to the embodiment of Figs. 10 and 12, when the IC card 6 is used, the terminal identification number of the IC card terminal 2 used, the public key for verifying the digital signature generated by the IC card terminal 2, the digital signature produced by the IC card terminal 2 for the time stamp at the time of the use of the IC card 6 and the update information of the time stamp are recorded as card usage information in a predetermined memory area in the IC card 6. When the IC card 6 is used next at a different IC card terminal 2, the IC card 6 sends thereto the card usage information recorded in the above-said memory, and the IC card terminal 2 specifies the previously used IC card terminal on the basis of the terminal identification number in the card usage information sent from the IC card 6. The IC card terminal 2 matches the specified terminal number with those registered in the terminal list in the IC card terminal 2, and if the specified terminal number matches any one of the registered ones, then the IC card terminal 2 will read out of the terminal list the initial value of the time stamp corresponding to the registered terminal number and the update information also corresponding thereto.

The IC card terminal 2 updates the initial value of the time stamp by a predetermined algorithm on the basis of the update information received from the IC card 6 to obtain the time stamp of the IC card terminal at the time when it was used previously. The IC card terminal 2 verifies the validity of the digital signature for the time stamp by the public key received from the IC card 6 to ensure that the update information received from the IC card 6 is valid. When the update information is valid, the IC card terminal 2 matches it with the pieces of update information recorded in the afore-said terminal list to check whether the time of the previous use of the IC card at the IC card terminal 2, registered in the above-mentioned terminal list of the IC card 6, goes before or comes after the time when the terminal number was registered in the terminal list. If the IC card terminal 2 fails to verify the validity of the digital signature, it judges that the update information or digital signature received from the IC card 6 is not normal or valid information and processes the IC card as an abnormal or invalid card. Furthermore, if the terminal identification number of the IC card terminal 2 is specified in the management center 4, the initial value of the time stamp of the IC card terminal of the specified terminal identification number and the update information at that time point can be known, and these pieces of information can be registered in the terminal list of the IC card terminal 2.

Next, a description will be given of an embodiment wherein the IC card of the present invention is applied to a credit card. In this embodiment the IC credit card system to which the IC card and the IC card terminal of the present invention are applied has the same configuration as shown in Fig. 1. The IC card terminals 2a, 2b, ... perform the verification processing by use of the IC card 6 and provide various services. The management center 4 holds the charges for the services used by the IC card 6. Each IC card terminal 2 stores in its memory the identification numbers of the IC cards used at that terminal and the charges for the services rendered, and automatically calls the management center 4 at regular time intervals, for example, every day, and transmits the stored information to the management center 4 via the communication network 3. The management center 4 sums up the charges for each card identification number and demands payment of each user every month, for instance. The internal constructions of each IC card terminal 2 and the IC card 6 are the same as shown in Figs. 2 and 3.

Fig. 13 is a diagram for explaining the procedure for the user to register a password in the IC card 6 by use of the IC card terminal 2. In the card information area 6M_1 of the EEPROM 64 of the IC card there are written, at the time of issuing the IC card 6 from the IC card dispenser 5, the identification number IDU for specifying the user, a password setting number Ns assigned to each user, a master digital signature SA(Ns) generated by the management center 4 for the password setting number Ns by use of a master key, and a master digital signature SA(IDU * SA(Ns)) generated by the management center 4 for the identification number IDU and the master digital signature SA(Ns) by use of the master key. When these pieces of data are written, the validity of the password setting number Ns can be checked by verifying the master digital signature SA(Ns) by the master public key nA.

In the terminal information area 2M_1 of the RAM in the telephone controller 14 of the IC card terminal 2 there are prestored the master public key nA for verifying the master digital signatures created by use of the master key, the terminal secret keys pT and qT for generating the digital signature by the IC card terminal 2 and the terminal public key nT for verifying the digital signature created by the IC card terminal 2.

When inserted into the IC card reader/writer 11 of the IC card terminal 2, the IC card 6 sends thereto the identification number IDU, the master digital signature SA(Ns) and the digital signature SA(IDU * SA(Ns)). The IC card terminal 2, in turn, verifies the digital signature SA(IDU * SA(Ns)) by the master public key nA to ensure the validity of the identification number IDU. If the identification number IDU is judged to be invalid, then the IC card 6 is ejected or returned and the process is discontinued. When the identification number IDU is judged to be valid, a prompt for the "input of password" is displayed on the display 13. During the display of this prompt the input of a password is enabled and the selection of the password registration by pressing a particular one of the function buttons 14 is made effective.

Upon selective pressing of the password registration command button among the function buttons 14, the IC card terminal 2 proceeds to the password registration process. The IC card terminal 2 sends a notice of the password registration to the IC card 6 to indicate thereto the start of the password registration process, while at the same time the IC card terminal 2 provides a display "ENTER IDENTIFICATION NUMBER" on the display 13 to urge the user to enter the identification number. Upon entering of the identification number IDU' by the user with pushbuttons, the IC card terminal 2 matches it with the identification number IDU previously received from the IC card 6 to check the validity of the identification number IDU' input by the user. When the two identification numbers do not match, the IC card terminal urges the user again to input the identification number. If the identification number IDU' does not match the previous one IDU even after being entered three times, for instance, the IC card terminal 2 judges that the IC card 6 is being abused and ejects it, discontinuing the process. When the identification numbers match, the IC card terminal 2 produces a display "ENTER PASSWORD SETTING NUMBER" on the display 13, prompting the user to enter the setting number.

Upon entering of the setting number Ns' by the user with pushbuttons, the IC card terminal 2 sends the setting number Ns' to the IC card 6. The IC card 6 matches the currently received setting number Ns' with the setting number Ns prestored in the afore-mentioned memory to check the validity of the setting number Ns' entered by the user. If they do not match, the IC card 6 sends a mismatch notice to the IC card terminal 2, which urges the user again to enter the setting number. In the event that the current setting number does not match the previous one even after being entered three times, for example, the IC card terminal 2 judges that the IC card 6 being used is abused and ejects it and discontinues the process. When the setting numbers match, the IC card 6 sends an authentication signal OK (a first authentication notice) to the IC card terminal 2. The IC card terminal 2 provides a display "ENTER PASSWORD" on the display 13, prompting the user to enter the password. Upon entering of the password Nc by the user with pushbuttons, the IC card terminal 2 creates a digital signature ST(Nc) for the password Nc by use of the terminal secret keys pT and qT and sends the digital signature ST(Nc) and the terminal public key nT to the IC card 6 together with the password Nc. The IC card 6 verifies the digital signature ST(Nc) by the terminal public key nT to check the validity of the password Nc. When the password Nc is valid, it is recorded in the RAM 62. The IC card 6 becomes enabled for use only after the password Nc is thus registered therein.

While in the above the setting number Ns' is verified on the IC card 6, it can also be checked at the IC card terminal 2 if the setting number Ns is also sent to the IC card terminal 2 together with the card identification number IDU at the beginning. However, this procedure is not preferable from the viewpoint of security, because the setting number Ns, information that must be kept strictly secret, is transmitted from the IC card 6. Besides, in the case where the identification number or setting number entered by pushbuttons does not match the previous one even after being entered three times, the IC card 6 could be disabled for further use by writing thereinto to the effect that the IC card 6 is invalid or abused.

Fig. 14 is a diagram for explaining the process in which the user receives a service at the IC card terminal 2 through use of the IC card 6 which is a credit card. In the RAM 62 of the IC card 6 there is recorded the password Nc in the manner described above. When inserted into the IC card reader/writer 12 of the IC card terminal 2, the IC card 6 sends thereto the identification number IDU and the master digital signatures SA(Ns) and SA(IDU * SA(Ns)). The IC card terminal 2 verifies the digital signature SA(IDU * SA(Ns)) by the master public key nA to check the validity of the identification number IDU. When the identification number IDU is not valid, the IC card terminal 2 ejects the IC card 6 and discontinues the process. When the identification number is valid, the IC card terminal 2 provides a display "ENTER PASSWORD" on the display 13. While this display is being provided, the entering of the password is allowed or enabled and the re-registration of the password by pressing the function buttons 14 is also effective. In other words, if desired, the password can be changed. At this time, when the user dials the password Nc', it is sent to the IC card 6, wherein it is matched with the prestored password Nc. When they do not match, the IC card 6 sends a mismatch notice to the IC card terminal 2, which prompts the user to re-enter the password. In the event that the password Nc' does not match the prestored one even after being entered three times, for example, the IC card terminal 2 judges that the IC card 6 is invalid, then ejects it and discontinues the processing.

When the password matches the prestored one, the IC card 6 sends an authentication signal OK (a second authentication notice) to the IC card terminal 2, which, in turn, provides on the display 13 an indication that the user's specified service is possible, and then provides the service. For instance, in the case of a communication service by telephone, the IC card terminal 2 displays that the telephone number of the other party to be called can be dialed, and then connects the user to the party of the number dialed by the user. Thus, the user is allowed to receive the communication service, and upon completion of the service the IC card terminal 2 records, in the service information area 2M_6 of its internal memory, the identification number IDU identifying the user, the date of use D and the charge V, and then ejects the IC card 6, completing the process. The data stored in the internal memory is transmitted to the management center 4 once or twice daily, for example. The management center 4 sums up the charges for each identification number, submits bills to the users and receives payments therefrom every month.

Fig. 15 is a diagram illustrating another embodiment of the present invention which provides increased security of the password registration process shown in Fig. 13. In the card information area 6M_1 in the EEPROM 64 of the IC card 6 there are stored the card secret keys pU and qU for generating the digital signature by the IC card 6 and the card public key nU for verifying the digital signature created by the IC card 6, as well as the pieces of information or data IDU, Ns, SA(Ns) and SA(IDU * SA(Ns)) shown in the corresponding area in Fig. 13. Furthermore, the IC card 6 and the IC card terminal 2 each have a random number generating program stored in its memory. In the password registration process, when the user enters the password Nc by pushbuttons after the verification of the identification number IDU' and the setting number Ns' by the above-described procedures, the IC card terminal 2 creates the random number R and sends it to the IC card 6. The IC card 6, in turn, creates the random number X and then generates a digital signature SU(R * X) for the random numbers R and X by use of the card secret keys pU and qU, thereafter sending the random number X and the card public key nU to the IC card terminal 2 together with the digital signature SU(R * X).

The IC card terminal 2 verifies the digital signature SU(R * X) by the card public key nU to ensure that the IC card 6 is a valid party. Then the IC card terminal 2 creates a digital signature ST(R * X * Nc) for the random numbers R and X and the password Nc by use of the terminal secret keys pT and qT and transmits the terminal public key nT and the password Nc to the IC card 6 together with the digital signature ST(R * X * Nc). The IC card 6 verifies the digital signature ST(R * X * Nc) by the terminal public key nT to ensure that the IC card terminal 2 and the password Nc are valid, and records the password Nc in the RAM 62. In this embodiment, since the random numbers generated by the IC card terminal 2 and the IC card 6 are used in the transmission and reception of data between them, the signals used will never have the same contents; this prevents an abuse of the system through utilization of an intercepted signal. Moreover, the IC card terminal 2 and the IC card 6 create digital signatures and verify them for each other, providing increased security.

Fig. 16 is a diagram showing another example of the process for receiving a service at the IC card terminal 2 through use of the IC card described previously with reference to Fig. 14. When the user enters the password Nc' by pushbuttons after he has inserted the IC card 6 into the IC card terminal 2 and the identification number IDU has been verified by the procedure described previously with respect to Fig. 14, the IC card terminal 2 generates the random number R and sends it to the IC card 6 together with the password Nc'. The IC card 6 matches the received password Nc' with the password Nc stored in the memory and, if they match each other, the IC card 6 generates the random number X and creates the digital signature SU(R * X) for the random numbers R and X by use of the card secret keys pU and qU, thereafter sending the random number X and the card public key nU to the IC card terminal 2 together with the digital signature SU(R * X).

The IC card terminal 2 verifies the digital signature SU(R * X) by the card public key nU and judges that the IC card 6 and the password are both valid, and then the IC card terminal 2 provides on the display 13 an indication that the service specified by the user is possible and executes the service. Upon completion of the service, the IC card terminal 2 records the identification number identifying the user, the date of use D and the service charge V in the service information area 2M_6 in its internal memory and then ejects the IC card 6, thus completing the process. As is the case with the Fig. 14 embodiment, the data in the service information area 2M_6 is transmitted to the management center 4 periodically, or when the amount of data stored reaches a fixed value, or when the IC card terminal 2 is polled by the management center 4.

In the above, if the card identification number IDU for specifying the IC card 6 and the master digital signature SA(IDU) for the card identification number IDU created by the management center 4 by use of the master key are registered in the EEPROM 64 of the IC card 6 when the IC card 6 is issued by the management center 4, and also if the card identification number IDU is sent together with the master digital signature SA(IDU) to the IC card terminal 2 when the IC card 6 is inserted into the IC card terminal 2, then the IC card terminal 2 can verify the master digital signature SA(IDU) by use of the master public key to check the validity of the card identification number. As a result, it is possible to deal with the loss of the IC card 6 or similar trouble. In other words, when the user reports the loss of the IC card 6 to the management center 4, the latter registers the card identification number of that IC card 6 in a black list in the IC card terminal 2 by download. The IC card terminal 2 compares the card identification number IDU with those in the black list when the IC card 6 is inserted thereinto. If the card identification number of the inserted IC card 6 matches any one of the identification numbers registered in the black list, then the IC card 6 can be inhibited from use.

With a system configuration in which date information is prestored in the EEPROM 64 of the IC card 6 and sent to the IC card terminal 2 together with the card identification number IDU when the IC card 6 is inserted thereinto, and compared with a calendar incorporated in the IC card terminal 2 to judge whether the IC card 6 can be used or not, it is possible to employ the IC card 6 as a card having a limited term of validity.

By storing algorithms for encryption of transmission data and common keys for encryption and decryption in both of the IC card 6 and the IC card terminal 2, the communication between them can be made a cipher communication, providing increased security.

As will be seen from the above, in the case of employing the IC card 6 and the IC card terminal 2 in the embodiments of Figs. 13 through 16, the IC card 6 and the IC card terminal 2 mutually verify their validity and the validity of the user is verified by the IC card 6 through the IC card terminal 2; this eliminates the need of accessing the management center having a database concerning user information when receiving a service or setting a password, and hence permits easy system configuration. Since there is no need of accessing the management center, the verification time can be reduced and the operability of the system is increased. Moreover, since the identification number is verified on the basis of the digital signature created by use of the master key that is known to the management center alone, the digital signature could never be created using the identification number of another user, for example. Further, the password cannot be known from an IC card picked up, and the identification number and the setting number are also unknown; hence, the password cannot be changed either. It is possible, therefore, to construct a system of excellent security.

Fig. 17 illustrates a modified form of the IC card system shown in Fig. 16. The IC card terminal 2 and the IC card 6 are identical in their internal construction with those depicted in Figs. 2 and 3. In the card information area 6M_1 in the EEPROM 64 of the IC card 6 there are prestored, at the time of issuing the IC card 6, the secret keys pU and qU for the creation of its digital signature, the public key nU for verifying the digital signature, the IC card identification number IDU and the master digital signature SA(nU * IDU) of the management center 4 for the identification number IDU and the public key nU. The IC card 6 has the password Nc stored therein by the process described previously with respect to Fig. 15 or 17. The identification number IDU of the IC card 6 is prestored in the management center 4. The user inserts the IC card 6 into the IC card terminal 2 when he is to receive his desired service. After completion of the service, the management center 4 performs the charging process for the IC card 6 used.

When inserted into the IC card reader/writer 11 of the IC card terminal 2, the IC card 6 sends thereto the pieces of information nU, IDU and SA(nU * IDU). The IC card terminal 2 verifies the master digital signature SA(nU * IDU) by the master public key nA and, if it is valid, provides a guidance on the display 13 to prompt the user to enter the password Nc.

When the user enters the password Nc' by the function buttons 12, the IC card terminal 2 sends the entered password Nc' and the random number R, generated by the IC card terminal 2, to the IC card 6. The IC card 6 matches the received password Nc' with the password Nc prestored in the memory. When they match each other, the IC card 6 generates the random number X and creates the digital signature SU(R * X * Nc) for the random numbers R and X and the password Nc by use of the secret keys pU and qU stored in the card information area 6M_1 in the EEPROM 64. The digital signature SU(R * X * Nc) thus created is transmitted to the IC card terminal 2 together with the random number R.

The IC card terminal 2 verifies the digital signature SU(R * X * Nc) by the card public key nU also received from the IC card 6 and, if the digital signature is valid, then displays a guidance on the display 13 to prompt the user to specify the service to be provided. In the case of a communication service by telephone, the user enters the telephone number of the other party's telephone (not shown) by the function buttons 12, after which a call to the other party's telephone is originated. Upon completion of the call or communication, the IC card terminal 2 transmits to the IC card 6 information which is used to deal with a trouble, such as the service charge V, the date D and the terminal identification number IDT, and service information M = (V * D * IDT) which the user wants to make sure of afterward. The IC card 6 stores the service information M in the EEPROM 64 and creates and sends a digital signature SU(M * IDU) for the service information M and the card identification number IDU to the IC card terminal 2.

The IC card terminal 2 verifies the digital signature SU(M * IDU) by the card public key nU and, if valid, temporarily stores it in the service information area 2M_6 of the memory in the telephone controller 14 together with the pieces of information IDU, nU and M. The data thus stored in the service information area 2M_6 is transmitted via the communication network 3 to the management center 4, for example, every day, or when the amount of data thus stored reaches a fixed value, or when the IC card terminal 2 is polled by the management center 4. It is also possible to directly connect portable terminals to the IC card terminal 2 to receive and send therefrom the digital signature SU(M * IDU) to the management center 4. The management center 4 further verifies the digital signature SU(M * IDU) and records the service information M for each IC card identification number IDU, which is used for charging purposes or for making various inquiries.
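The Fig. 17 session, together with the R/X challenge-response it shares with Figs. 15 and 16, modelled end to end as an added example that is not part of the patent: the terminal checks SA(nU * IDU) with the master public key nA offline, the card answers the terminal's random R with its own X and SU(R * X * Nc), a captured reply is rejected when replayed against a fresh R, and the card signs the service record M = (V * D * IDT) that the management center re-verifies before charging. Assumptions not stated in the patent: RSA-style signatures with a fixed public exponent over a SHA-256 digest, a separator for the "*" concatenation, the card returning X (the terminal already holds R), and toy-sized constructed keys, identifiers and values.

```python
import hashlib
import secrets

E = 65537  # assumed public exponent; the patent names only the primes p, q and the modulus n

def make_keys(p, q):
    """Toy RSA pair from two primes: (secret exponent d, public modulus n)."""
    return pow(E, -1, (p - 1) * (q - 1)), p * q

def concat(*fields):
    """The patent's 'A * B * C' concatenation, with a separator so fields cannot run together."""
    return b"|".join(str(f).encode() for f in fields)

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(d, n, msg):
    return pow(digest(msg, n), d, n)

def verify(n, msg, sig):
    return pow(sig, E, n) == digest(msg, n)

# Constructed key material (toy sizes): master keys pA, qA -> nA; card keys pU, qU -> nU.
dA, nA = make_keys(15485863, 32452843)
dU, nU = make_keys(49979687, 67867967)

class Card:
    """IC card 6: nU, IDU and SA(nU * IDU) written at issue, plus its secret d and password Nc."""
    def __init__(self, d, n, idu, nc, sa):
        self.d, self.n, self.idu, self.nc, self.sa = d, n, idu, nc, sa
        self.records = []  # service information M kept in the card's EEPROM

    def identify(self):
        return self.n, self.idu, self.sa

    def answer_challenge(self, r, nc_entered):
        """Match the entered password, then reply with X and SU(R * X * Nc)."""
        if nc_entered != self.nc:
            return None  # mismatch notice: the terminal re-prompts, three tries then ejects
        x = secrets.randbelow(1 << 64)
        return x, sign(self.d, self.n, concat(r, x, self.nc))

    def store_record(self, m):
        """Keep M and return SU(M * IDU), the card's signature over the service record."""
        self.records.append(m)
        return sign(self.d, self.n, concat(m, self.idu))

class Terminal:
    """IC card terminal 2: holds nA and IDT; keeps signed records for the management center."""
    def __init__(self, master_n, idt):
        self.nA, self.idt, self.area_2m6 = master_n, idt, []  # area: (IDU, nU, M, SU(M * IDU))

    def accept_card(self, card_n, idu, sa):
        """Verify SA(nU * IDU) with the master public key nA; no call to the center is needed."""
        if not verify(self.nA, concat(card_n, idu), sa):
            return False
        self.nU, self.idu = card_n, idu
        return True

    def challenge(self):
        self.r = secrets.randbelow(1 << 64)  # fresh R for this session
        return self.r

    def check_response(self, nc_entered, x, sig):
        """Verify SU(R * X * Nc) with nU; the reply is bound to this session's R."""
        return verify(self.nU, concat(self.r, x, nc_entered), sig)

    def close_service(self, card, charge, date):
        """Build M = (V * D * IDT), have the card sign it, and file the record if valid."""
        m = concat(charge, date, self.idt).decode()
        sig = card.store_record(m)
        if not verify(self.nU, concat(m, self.idu), sig):
            return False
        self.area_2m6.append((self.idu, self.nU, m, sig))
        return True

def center_verify(records, issued):
    """Management center 4: re-check each SU(M * IDU) with the nU it issued for that IDU."""
    return [idu in issued and verify(issued[idu], concat(m, idu), sig)
            for idu, _, m, sig in records]

def run_session(password_entered="2468", charge=120, date="19970115"):
    """One session with constructed values; returns what each party's check decided."""
    idu, sa = "IDU-0001", sign(dA, nA, concat(nU, "IDU-0001"))  # SA(nU * IDU) from the center
    card, term = Card(dU, nU, idu, "2468", sa), Terminal(nA, "IDT-0042")
    out = {"card_ok": term.accept_card(*card.identify())}
    reply = card.answer_challenge(term.challenge(), password_entered)
    out["password_ok"] = reply is not None
    if reply is None:
        return out
    x, sig = reply
    out["response_ok"] = term.check_response(password_entered, x, sig)
    term.challenge()  # a captured (X, SU) replayed against a new R must be rejected
    out["replay_ok"] = term.check_response(password_entered, x, sig)
    out["record_ok"] = term.close_service(card, charge, date)
    out["center_ok"] = center_verify(term.area_2m6, {idu: nU})
    return out
```

Calling `run_session()` walks the whole exchange; `run_session(password_entered="0000")` stops at the card's mismatch notice, and a card presenting an SA(nU * IDU) that nA does not verify is refused before any challenge is issued.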

It is possible to provide increased security against wiretapping through utilization of a method in which the IC card 6 and the IC card terminal 2 both have a specific key for encrypting and decrypting the various pieces of information which are transmitted and received between the IC card 6 and the IC card terminal 2. Moreover, by making provision for prestoring term-of-validity information in the IC card and verifying it by a clock in the IC card terminal, it is possible to inhibit the abuse of the IC card after it is lost.

With an arrangement wherein the identification number IDC of the card dispenser 5 which records initial information in the IC card, the master digital signature SA(IDC) of the management center 4 for the identification number IDC and the master public key nA for verifying the signature are prestored in the IC card at the time of issuing it, and these pieces of information are transmitted to the IC card terminal 2 for verification when the IC card 6 is used, it is possible to make a check to see if the IC card 6 is a valid one issued from the valid IC card dispenser.

While in the above embodiments the user enters the password into the IC card terminal with a view to preventing the abuse of a lost IC card, the password may be omitted according to services or in accordance with the user's wishes. In this instance, the process shown in Fig. 17 is performed without using the password Nc.

Further, in transmission of data to the management center 4, for example, in a practical system in which the present invention is implemented, data C which is not particularly needed may be added to the data nU, IDU, SA(nU * IDU) so that a sufficient amount of data nU, IDU, C and SA(nU * IDU * C) can be transmitted to prevent abuse of a card, if it is not possible to prevent an IC card from being abused by transmitting only the data nU, IDU, SA(nU * IDU) or the like.

Thus, according to the embodiment of Fig. 17, since the information for specifying the IC card, appended with the digital signature of the management center 4, can be verified at the IC card terminal, the management center 4 having a database concerning IC cards need not be accessed before receiving services, and the use of an invalid IC card can be prevented. Moreover, the service information such as the service charge to be paid or the history of use, which is used in the case of a trouble or used as a reference by the user, is appended with the digital signature of the IC card and transmitted to the IC card terminal, from which the service information appended with the digital signature is transmitted to a charging center for storage therein. The service information thus stored in the center can be used as evidence in the case of dealing with a trouble.

It will be apparent that many modifications and variations may be effected without departing from the scope of the novel concepts of the present invention.

Claims

1. A method of settling charges in response to the use of an IC card that has been issued from a management center through an IC card dispenser, for obtaining a service at an IC card terminal, said IC card terminal having terminal information memory means into which are written from said management center a master public key nA for verification of a master digital signature SA created by said management center by use of master keys pA and qA, terminal secret keys pT and qT for enabling said IC card terminal to create a digital signature, a terminal public key nT for verification of said digital signature created by said IC card terminal, a terminal identification number IDT and a second master digital signature SA2 created by use of said master keys pA and qA for information including said terminal identification number IDT and said terminal public key nT, said IC card having card information memory means into which are written from said management center said master public key nA, card secret keys pU and qU for enabling said IC card to create a digital signature, a card public key nU for verification of said digital signature created by said IC card, a card identification number IDU, a first master digital signature SA1 created by use of said master keys pA and qA for information including said card identification number IDU and said card public key nU, amount value information V and a third master digital signature SA3 for information including said amount value information V and said card identification number IDU, said method being characterized by:

a step wherein said IC card transmits said card public key nU, said card identification number IDU and said first master digital signature SA1 to said IC card terminal;
a step wherein said IC card terminal verifies said first master digital signature SA1 received from said IC card and, if it is valid, transmits an authentication notice to said IC card;
a step wherein said IC card creates a card digital signature SU for information including said amount value information V by use of said card secret keys pU and qU, and transmits said amount value information V and said card digital signature SU to said IC card terminal upon receiving said authentication notice from said IC card terminal;
a step wherein said IC card terminal verifies said card digital signature SU received from said IC card by use of said card public key nU and, if said amount value information V received from said IC card is correct and also the amount value is larger than a charge needed to carry out said service, initiates said service;
a step wherein, after completion of said service, said IC card terminal creates an updated remaining amount value V in which said charge for said service is subtracted from said amount value and also creates a terminal digital signature ST for information including said updated remaining amount value V and said card identification number IDU by use of said terminal secret keys pT and qT;
a step wherein said IC card terminal transmits said terminal digital signature ST, said updated remaining amount value V, said second master digital signature SA2, said terminal public key nT and said terminal identification number IDT to said IC card; and
a step wherein said IC card verifies said second master digital signature SA2 and said terminal digital signature ST received from said IC card terminal by use of said master public key nA and said terminal public key nT, respectively, and, if they are valid, stores said updated remaining amount value V in said card information memory means.

2. The method of claim 1 wherein said IC card terminal includes means for storing invalid card identification numbers as a card identification number list, and said IC card includes means for storing usage information which is information including the remaining amount value V when said IC card was last used; and wherein

said IC card transmits said card identification number IDU and said usage information in addition to said amount value information V and said card digital signature SU to said IC card terminal when said authentication notice is received from said IC card terminal;

said IC card terminal compares said card identification number IDU received from said IC card with the card identification numbers in said card identification number list and, when said card identification number IDU does not accord with any one of the card identification numbers in said card identification number list, initiates said requested service; and

said IC card stores information including said remaining amount value V and said terminal identification number IDT received from said IC card terminal as updated usage information in said card information memory means when said second master digital signature SA2 and said terminal digital signature ST are valid.
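The exchange of claim 1, with the card identification number list and usage information of claim 2, simulated end to end as an added example (this is not code from the patent or from any implementation of it). The claims name only the primes (p, q) as secret key and n as public key, so a modulus-based signature is assumed; this toy uses textbook RSA with a fixed exponent and a SHA-256 digest reduced modulo n, with hard-coded primes so the run is deterministic. The purpose tags "SA1", "SA2", "SU" and "ST" inside the signed data are our addition (domain separation, so a signature issued for one purpose cannot be replayed as another), the third master signature SA3 is not modelled, and the terminal's check that V "is correct" is reduced to verifying SU and requiring V to cover the charge.

```python
import hashlib

# Toy textbook RSA with a fixed public exponent, used only to make the exchange concrete.
# The claims name (p, q) as the secret key and n as the public key; here the signing
# exponent d is derived from p and q, so (p, q) remains the only secret.
E = 65537
# Fixed primes (four Mersenne primes and two well-known primes) so the run is deterministic;
# a real issuer generates fresh large primes per card and per terminal.
P_A, Q_A = 2**89 - 1, 2**107 - 1      # management center: master keys pA, qA
P_U, Q_U = 2**61 - 1, 2**127 - 1      # IC card: card secret keys pU, qU
P_T, Q_T = 1000000007, 998244353      # IC card terminal: terminal secret keys pT, qT

def keypair(p, q):
    """Public modulus n = p*q and signing exponent d for the secret primes p, q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(n, tag, *fields):
    """Hash a tagged record to an integer below n. The tag (our addition) separates the
    purposes SA1/SA2/SU/ST so a signature made for one cannot be replayed as another."""
    data = "|".join(str(f) for f in (tag,) + fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(n, d, tag, *fields):
    return pow(digest(n, tag, *fields), d, n)

def verify(n, sig, tag, *fields):
    return pow(sig, E, n) == digest(n, tag, *fields)

class ManagementCenter:
    """Holds the master keys and certifies cards (SA1) and terminals (SA2)."""
    def __init__(self):
        self.nA, self.dA = keypair(P_A, Q_A)

    def issue_card(self, IDU, V):
        nU, dU = keypair(P_U, Q_U)
        return Card(self.nA, nU, dU, IDU, sign(self.nA, self.dA, "SA1", IDU, nU), V)

    def issue_terminal(self, IDT):
        nT, dT = keypair(P_T, Q_T)
        return Terminal(self.nA, nT, dT, IDT, sign(self.nA, self.dA, "SA2", IDT, nT))

class Card:
    def __init__(self, nA, nU, dU, IDU, SA1, V):
        self.nA, self.nU, self.dU, self.IDU, self.SA1, self.V = nA, nU, dU, IDU, SA1, V
        self.usage = None   # claim 2: (remaining value, IDT) recorded at the last use

    def hello(self):
        return self.nU, self.IDU, self.SA1

    def present_value(self):
        """Sent only after the terminal's authentication notice: V signed with the card key."""
        return self.IDU, self.V, sign(self.nU, self.dU, "SU", self.IDU, self.V), self.usage

    def update(self, ST, V_new, SA2, nT, IDT):
        """Store the new balance only if SA2 verifies under nA and ST verifies under nT."""
        if not verify(self.nA, SA2, "SA2", IDT, nT) or not verify(nT, ST, "ST", V_new, self.IDU):
            return False
        self.V, self.usage = V_new, (V_new, IDT)
        return True

class Terminal:
    def __init__(self, nA, nT, dT, IDT, SA2):
        self.nA, self.nT, self.dT, self.IDT, self.SA2 = nA, nT, dT, IDT, SA2
        self.blacklist = set()   # claim 2: card identification number list
        self.peer = None         # (nU, IDU) of the card authenticated in this session

    def authenticate_card(self, nU, IDU, SA1):
        """Verify SA1 under the master public key nA; remember nU only if it is certified."""
        if not verify(self.nA, SA1, "SA1", IDU, nU):
            return False
        self.peer = (nU, IDU)
        return True

    def serve(self, IDU, V, SU, charge):
        """Verify SU under the certified nU and check the balance; return the signed update."""
        if self.peer is None or self.peer[1] != IDU or IDU in self.blacklist:
            return None
        if not verify(self.peer[0], SU, "SU", IDU, V) or V < charge:
            return None
        V_new = V - charge
        return sign(self.nT, self.dT, "ST", V_new, IDU), V_new, self.SA2, self.nT, self.IDT

def settle(card, terminal, charge):
    """Run the claim-1 exchange end to end; return the balance the card holds afterwards."""
    nU, IDU, SA1 = card.hello()                        # card -> terminal
    if not terminal.authenticate_card(nU, IDU, SA1):   # terminal checks SA1 by nA
        return card.V
    IDU, V, SU, _usage = card.present_value()          # card -> terminal, after the notice
    reply = terminal.serve(IDU, V, SU, charge)         # terminal checks SU by nU, then serves
    if reply is not None:
        card.update(*reply)                            # card checks SA2 by nA and ST by nT
    return card.V

if __name__ == "__main__":
    center = ManagementCenter()
    print(settle(center.issue_card(IDU=1001, V=5000), center.issue_terminal(IDT=7), 1200))  # 3800
```

Two checks worth running against this model: a value inflated on the wire fails the SU check at the terminal, and a terminal that lacks a valid SA2 can still talk to the card but never gets its updated V accepted. What the claim-1 signatures alone do not cover is a card whose memory has been copied or rolled back, since SU is made by the card's own key over whatever V it holds; that is what the usage information of claim 2 and the management center comparison of the later claims are for.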

3. The method of claim 2 further including the steps of:

creating, at said IC card terminal, usage/management information from information including said amount value information V, said card identification number IDU and said usage information received from said IC card prior to the start of said service, only in the case of transmitting said updated amount value information V to said IC card;

transmitting said usage/management information from said IC card terminal to said management center together with said card identification number IDU; and

additionally storing, at said IC card terminal, any card identification number received from said management center in said card identification number list.

4. The method of claim 3 wherein said management center has a database for storing usage/management information for each IC card identification number, and compares said card identification number IDU and said usage/management information received from said IC card terminal with card identification numbers and usage/management information registered in said database, respectively, and when said card identification number IDU and said usage/management information do not accord with any of said card identification numbers and any of said usage/management information, respectively, additionally registers said card identification number IDU and said usage/management information received from said IC card terminal in said database, whereas when said card identification number IDU and said usage/management information accord with one of said card identification numbers and one of said usage/management information, respectively, said management center transmits said card identification number IDU to said IC card terminal.

5. The method of claim 2, 3 or 4, wherein at least one of said IC card and said IC card terminal has random number generating means, and said usage information contains a random number generated by said random number generating means.
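The management center side of claims 3 to 5, as an added example that is not part of the patent: the terminal builds usage/management information before the service, reports it with IDU, the center registers it or, if the identical record is already registered for that IDU, returns IDU so the terminal adds it to its card identification number list. The record layout (V, IDU, usage information), the usage information layout (last remaining value, last IDT, random number), the 64-bit random number and the deep-copied "cloned card" are constructed for the example; the patent does not say how a returned IDU reaches other terminals, so here only the reporting terminal stores it.

```python
import copy
import secrets

class CardState:
    """What a claim-2 card presents: its value V and usage information (V_last, IDT_last, r)."""
    def __init__(self, IDU, V):
        self.IDU, self.V = IDU, V
        self.usage = (V, 0, 0)   # before first use: issue value, no terminal, no random number

class ManagementCenter:
    """Claim-4 database: usage/management information registered per card identification number."""
    def __init__(self):
        self.db = {}

    def report(self, IDU, record):
        """Register a new (V, IDU, usage) record; return IDU when it was already registered,
        which means the same card state was spent twice (replay or duplicated card)."""
        seen = self.db.setdefault(IDU, set())
        if record in seen:
            return IDU
        seen.add(record)
        return None

class Terminal:
    def __init__(self, IDT, center):
        self.IDT, self.center, self.blacklist = IDT, center, set()

    def serve(self, card, charge):
        """Serve, update the card, then report as in claim 3; returns True if service was given."""
        if card.IDU in self.blacklist or card.V < charge:
            return False
        record = (card.V, card.IDU, card.usage)          # claim 3: built before the service
        card.V -= charge
        card.usage = (card.V, self.IDT, secrets.randbelow(2**64))   # claim 5: fresh random number
        flagged = self.center.report(card.IDU, record)   # claim 3: reported together with IDU
        if flagged is not None:
            self.blacklist.add(flagged)                  # claim 3: store the returned IDU
        return True

def clone_scenario():
    """Genuine card used twice at terminal 1, then a copy of its original memory (constructed
    attacker data) is spent at terminal 2. Returns the service results and both lists."""
    center = ManagementCenter()
    t1, t2 = Terminal(1, center), Terminal(2, center)
    card = CardState(1001, 5000)
    clone = copy.deepcopy(card)
    served = [t1.serve(card, 1000), t1.serve(card, 1000), t2.serve(clone, 100)]
    return served, sorted(t1.blacklist), sorted(t2.blacklist), t2, clone, card
```

The two genuine uses produce distinct records because the usage information changes on every completed transaction, while the clone presents exactly the state the genuine card already reported, so its first use is served but flagged and any later use at that terminal is refused. Detection is after the fact, and because the list holds identification numbers, the genuine card with the same IDU is refused at that terminal as well. The random number of claim 5 is read here as what keeps two legitimate records distinct even if value and terminal identification number happen to repeat.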